[patch 00/16] 2.6.25-stable review - Kernel

This is a discussion on [patch 00/16] 2.6.25-stable review - Kernel ; This is the start of the stable review cycle for the 2.6.25.17 release. There are 16 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please ...

+ Reply to Thread
Results 1 to 16 of 16

Thread: [patch 00/16] 2.6.25-stable review

  1. [patch 00/16] 2.6.25-stable review


    This is the start of the stable review cycle for the 2.6.25.17 release.
    There are 16 patches in this series, all will be posted as a response
    to this one. If anyone has any issues with these being applied, please
    let us know. If anyone is a maintainer of the proper subsystem, and
    wants to add a Signed-off-by: line to the patch, please respond with it.

    These patches are sent out with a number of different people on the
    Cc: line. If you wish to be a reviewer, please email stable@kernel.org
    to add your name to the list. If you want to be off the reviewer list,
    also email us.

    Responses should be made by September 6 10:00:00 UTC. Anything received
    after that time might be too late.

    The whole patch series can be found in one patch at:
    kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.17-rc1.gz
    and the diffstat can be found below.


    thanks,

    the -stable release team


    Makefile | 2
    arch/x86/kernel/cpu/mtrr/generic.c | 15 +++++
    crypto/authenc.c | 10 ++-
    drivers/net/forcedeth.c | 4 -
    drivers/net/r8169.c | 2
    drivers/usb/class/cdc-acm.c | 2
    drivers/video/fb_defio.c | 19 +++++++
    drivers/video/fbmem.c | 4 +
    fs/cifs/file.c | 4 +
    fs/cramfs/inode.c | 84 ++++++++++++++------------------
    fs/nfsd/nfs4acl.c | 2
    include/linux/fb.h | 3 +
    mm/page_alloc.c | 7 ++
    net/sched/sch_prio.c | 16 ++++--
    net/sctp/auth.c | 7 ++
    net/sctp/endpointola.c | 4 -
    net/sctp/socket.c | 96 ++++++++++++++++++++++++++++---------
    net/sunrpc/sysctl.c | 18 +-----
    18 files changed, 198 insertions(+), 101 deletions(-)
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. [patch 02/16] USB: cdc-acm: dont unlock acm->mutex on error path

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Alexey Dobriyan

    commit 74573ee7096a4ffc2f098108d21c85801b9c7434 upstream

    On Wed, Jul 23, 2008 at 03:52:36PM +0300, Andrei Popa wrote:
    > I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
    > and the kernel oopsed:
    >
    > BUG: unable to handle kernel NULL pointer dereference at 00000458
    > IP: [] mutex_unlock+0x0/0xb
    > [] acm_tty_open+0x4c/0x214


    Signed-off-by: Alexey Dobriyan
    Tested-by: Andrei Popa
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/usb/class/cdc-acm.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/drivers/usb/class/cdc-acm.c
    +++ b/drivers/usb/class/cdc-acm.c
    @@ -531,8 +531,8 @@ static int acm_tty_open(struct tty_struc
    tasklet_schedule(&acm->urb_task);

    done:
    -err_out:
    mutex_unlock(&acm->mutex);
    +err_out:
    mutex_unlock(&open_mutex);
    return rv;


    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  3. [patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Ian Campbell

    commit d847471d063663b9f36927d265c66a270c0cfaab upstream

    Fixes kernel BUG at lib/radix-tree.c:473.

    Previously the handler was incidentally provided by tmpfs but this was
    removed with:

    commit 14fcc23fdc78e9d32372553ccf21758a9bd56fa1
    Author: Hugh Dickins
    Date: Mon Jul 28 15:46:19 2008 -0700

    tmpfs: fix kernel BUG in shmem_delete_inode

    relying on this behaviour was incorrect in any case and the BUG also
    appeared when the device node was on an ext3 filesystem.

    v2: override a_ops at open() time rather than mmap() time to minimise
    races per AKPM's concerns.

    Signed-off-by: Ian Campbell
    Cc: Jaya Kumar
    Cc: Nick Piggin
    Cc: Peter Zijlstra
    Cc: Hugh Dickins
    Cc: Johannes Weiner
    Cc: Jeremy Fitzhardinge
    Cc: Kel Modderman
    Cc: Markus Armbruster
    Cc: Krzysztof Helt
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/video/fb_defio.c | 19 +++++++++++++++++++
    drivers/video/fbmem.c | 4 ++++
    include/linux/fb.h | 3 +++
    3 files changed, 26 insertions(+)

    --- a/drivers/video/fb_defio.c
    +++ b/drivers/video/fb_defio.c
    @@ -114,6 +114,17 @@ static struct vm_operations_struct fb_de
    .page_mkwrite = fb_deferred_io_mkwrite,
    };

    +static int fb_deferred_io_set_page_dirty(struct page *page)
    +{
    + if (!PageDirty(page))
    + SetPageDirty(page);
    + return 0;
    +}
    +
    +static const struct address_space_operations fb_deferred_io_aops = {
    + .set_page_dirty = fb_deferred_io_set_page_dirty,
    +};
    +
    static int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma)
    {
    vma->vm_ops = &fb_deferred_io_vm_ops;
    @@ -163,6 +174,14 @@ void fb_deferred_io_init(struct fb_info
    }
    EXPORT_SYMBOL_GPL(fb_deferred_io_init);

    +void fb_deferred_io_open(struct fb_info *info,
    + struct inode *inode,
    + struct file *file)
    +{
    + file->f_mapping->a_ops = &fb_deferred_io_aops;
    +}
    +EXPORT_SYMBOL_GPL(fb_deferred_io_open);
    +
    void fb_deferred_io_cleanup(struct fb_info *info)
    {
    void *screen_base = (void __force *) info->screen_base;
    --- a/drivers/video/fbmem.c
    +++ b/drivers/video/fbmem.c
    @@ -1315,6 +1315,10 @@ fb_open(struct inode *inode, struct file
    if (res)
    module_put(info->fbops->owner);
    }
    +#ifdef CONFIG_FB_DEFERRED_IO
    + if (info->fbdefio)
    + fb_deferred_io_open(info, inode, file);
    +#endif
    return res;
    }

    --- a/include/linux/fb.h
    +++ b/include/linux/fb.h
    @@ -966,6 +966,9 @@ static inline void __fb_pad_aligned_buff

    /* drivers/video/fb_defio.c */
    extern void fb_deferred_io_init(struct fb_info *info);
    +extern void fb_deferred_io_open(struct fb_info *info,
    + struct inode *inode,
    + struct file *file);
    extern void fb_deferred_io_cleanup(struct fb_info *info);
    extern int fb_deferred_io_fsync(struct file *file, struct dentry *dentry,
    int datasync);

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  4. [patch 11/16] cifs: fix O_APPEND on directio mounts

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Jeff Layton

    commit 838726c4756813576078203eb7e1e219db0da870 upstream

    The direct I/O write codepath for CIFS is done through
    cifs_user_write(). That function does not currently call
    generic_write_checks() so the file position isn't being properly set
    when the file is opened with O_APPEND. It's also not doing the other
    "normal" checks that should be done for a write call.

    The problem is currently that when you open a file with O_APPEND on a
    mount with the directio mount option, the file position is set to the
    beginning of the file. This makes any subsequent writes clobber the data
    in the file starting at the beginning.

    This seems to fix the problem in cursory testing. It is, however
    important to note that NFS disallows the combination of
    (O_DIRECT|O_APPEND). If my understanding is correct, the concern is
    races with multiple clients appending to a file clobbering each others'
    data. Since the write model for CIFS and NFS is pretty similar in this
    regard, CIFS is probably subject to the same sort of races. What's
    unclear to me is why this is a particular problem with O_DIRECT and not
    with buffered writes...

    Regardless, disallowing O_APPEND on an entire mount is probably not
    reasonable, so we'll probably just have to deal with it and reevaluate
    this flag combination when we get proper support for O_DIRECT. In the
    meantime this patch at least fixes the existing problem.

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/cifs/file.c | 4 ++++
    1 file changed, 4 insertions(+)

    --- a/fs/cifs/file.c
    +++ b/fs/cifs/file.c
    @@ -835,6 +835,10 @@ ssize_t cifs_user_write(struct file *fil
    return -EBADF;
    open_file = (struct cifsFileInfo *) file->private_data;

    + rc = generic_write_checks(file, poffset, &write_size, 0);
    + if (rc)
    + return rc;
    +
    xid = GetXid();

    if (*poffset > file->f_path.dentry->d_inode->i_size)

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  5. [patch 05/16] nfsd: fix buffer overrun decoding NFSv4 acl

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: J. Bruce Fields

    commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream

    The array we kmalloc() here is not large enough.

    Thanks to Johann Dahm and David Richter for bug report and testing.

    Signed-off-by: J. Bruce Fields
    Cc: David Richter
    Tested-by: Johann Dahm
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/nfsd/nfs4acl.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/fs/nfsd/nfs4acl.c
    +++ b/fs/nfsd/nfs4acl.c
    @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state
    * enough space for either:
    */
    alloc = sizeof(struct posix_ace_state_array)
    - + cnt*sizeof(struct posix_ace_state);
    + + cnt*sizeof(struct posix_user_ace_state);
    state->users = kzalloc(alloc, GFP_KERNEL);
    if (!state->users)
    return -ENOMEM;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  6. [patch 07/16] forcedeth: fix checksum flag

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Ayaz Abdulla

    commit edcfe5f7e307846e578fb88d69fa27051fded0ab upstream

    Fix the checksum feature advertised in device flags. The hardware support
    TCP/UDP over IPv4 and TCP/UDP over IPv6 (without IPv6 extension headers).
    However, the kernel feature flags do not distinguish IPv6 with/without
    extension headers.

    Therefore, the driver needs to use NETIF_F_IP_CSUM instead of
    NETIF_F_HW_CSUM since the latter includes all IPv6 packets.

    A future patch can be created to check for extension headers and perform
    software checksum calculation.

    Signed-off-by: Ayaz Abdulla
    Cc: Jeff Garzik
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/forcedeth.c | 4 ++--
    1 file changed, 2 insertions(+), 2 deletions(-)

    --- a/drivers/net/forcedeth.c
    +++ b/drivers/net/forcedeth.c
    @@ -5249,7 +5249,7 @@ static int __devinit nv_probe(struct pci
    if (id->driver_data & DEV_HAS_CHECKSUM) {
    np->rx_csum = 1;
    np->txrxctl_bits |= NVREG_TXRXCTL_RXCHECK;
    - dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
    + dev->features |= NETIF_F_IP_CSUM | NETIF_F_SG;
    dev->features |= NETIF_F_TSO;
    }

    @@ -5548,7 +5548,7 @@ static int __devinit nv_probe(struct pci

    dev_printk(KERN_INFO, &pci_dev->dev, "%s%s%s%s%s%s%s%s%s%sdesc-v%u\n",
    dev->features & NETIF_F_HIGHDMA ? "highdma " : "",
    - dev->features & (NETIF_F_HW_CSUM | NETIF_F_SG) ?
    + dev->features & (NETIF_F_IP_CSUM | NETIF_F_SG) ?
    "csum " : "",
    dev->features & (NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_TX) ?
    "vlan " : "",

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  7. [patch 10/16] cramfs: fix named-pipe handling

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Al Viro

    commit 82d63fc9e30687c055b97928942b8893ea65b0bb upstream

    After commit a97c9bf33f4612e2aed6f000f6b1d268b6814f3c (fix cramfs
    making duplicate entries in inode cache) in kernel 2.6.14, named-pipe
    on cramfs does not work properly.

    It seems the commit make all named-pipe on cramfs share their inode
    (and named-pipe buffer).

    Make ..._test() refuse to merge inodes with ->i_ino == 1, take inode setup
    back to get_cramfs_inode() and make ->drop_inode() evict ones with ->i_ino
    == 1 immediately.

    Reported-by: Atsushi Nemoto
    Cc: Al Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/cramfs/inode.c | 84 ++++++++++++++++++++++++------------------------------
    1 file changed, 38 insertions(+), 46 deletions(-)

    --- a/fs/cramfs/inode.c
    +++ b/fs/cramfs/inode.c
    @@ -44,58 +44,13 @@ static DEFINE_MUTEX(read_mutex);
    static int cramfs_iget5_test(struct inode *inode, void *opaque)
    {
    struct cramfs_inode *cramfs_inode = opaque;
    -
    - if (inode->i_ino != CRAMINO(cramfs_inode))
    - return 0; /* does not match */
    -
    - if (inode->i_ino != 1)
    - return 1;
    -
    - /* all empty directories, char, block, pipe, and sock, share inode #1 */
    -
    - if ((inode->i_mode != cramfs_inode->mode) ||
    - (inode->i_gid != cramfs_inode->gid) ||
    - (inode->i_uid != cramfs_inode->uid))
    - return 0; /* does not match */
    -
    - if ((S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) &&
    - (inode->i_rdev != old_decode_dev(cramfs_inode->size)))
    - return 0; /* does not match */
    -
    - return 1; /* matches */
    + return inode->i_ino == CRAMINO(cramfs_inode) && inode->i_ino != 1;
    }

    static int cramfs_iget5_set(struct inode *inode, void *opaque)
    {
    - static struct timespec zerotime;
    struct cramfs_inode *cramfs_inode = opaque;
    - inode->i_mode = cramfs_inode->mode;
    - inode->i_uid = cramfs_inode->uid;
    - inode->i_size = cramfs_inode->size;
    - inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
    - inode->i_gid = cramfs_inode->gid;
    - /* Struct copy intentional */
    - inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
    inode->i_ino = CRAMINO(cramfs_inode);
    - /* inode->i_nlink is left 1 - arguably wrong for directories,
    - but it's the best we can do without reading the directory
    - contents. 1 yields the right result in GNU find, even
    - without -noleaf option. */
    - if (S_ISREG(inode->i_mode)) {
    - inode->i_fop = &generic_ro_fops;
    - inode->i_data.a_ops = &cramfs_aops;
    - } else if (S_ISDIR(inode->i_mode)) {
    - inode->i_op = &cramfs_dir_inode_operations;
    - inode->i_fop = &cramfs_directory_operations;
    - } else if (S_ISLNK(inode->i_mode)) {
    - inode->i_op = &page_symlink_inode_operations;
    - inode->i_data.a_ops = &cramfs_aops;
    - } else {
    - inode->i_size = 0;
    - inode->i_blocks = 0;
    - init_special_inode(inode, inode->i_mode,
    - old_decode_dev(cramfs_inode->size));
    - }
    return 0;
    }

    @@ -105,12 +60,48 @@ static struct inode *get_cramfs_inode(st
    struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode),
    cramfs_iget5_test, cramfs_iget5_set,
    cramfs_inode);
    + static struct timespec zerotime;
    +
    if (inode && (inode->i_state & I_NEW)) {
    + inode->i_mode = cramfs_inode->mode;
    + inode->i_uid = cramfs_inode->uid;
    + inode->i_size = cramfs_inode->size;
    + inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
    + inode->i_gid = cramfs_inode->gid;
    + /* Struct copy intentional */
    + inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
    + /* inode->i_nlink is left 1 - arguably wrong for directories,
    + but it's the best we can do without reading the directory
    + contents. 1 yields the right result in GNU find, even
    + without -noleaf option. */
    + if (S_ISREG(inode->i_mode)) {
    + inode->i_fop = &generic_ro_fops;
    + inode->i_data.a_ops = &cramfs_aops;
    + } else if (S_ISDIR(inode->i_mode)) {
    + inode->i_op = &cramfs_dir_inode_operations;
    + inode->i_fop = &cramfs_directory_operations;
    + } else if (S_ISLNK(inode->i_mode)) {
    + inode->i_op = &page_symlink_inode_operations;
    + inode->i_data.a_ops = &cramfs_aops;
    + } else {
    + inode->i_size = 0;
    + inode->i_blocks = 0;
    + init_special_inode(inode, inode->i_mode,
    + old_decode_dev(cramfs_inode->size));
    + }
    unlock_new_inode(inode);
    }
    return inode;
    }

    +static void cramfs_drop_inode(struct inode *inode)
    +{
    + if (inode->i_ino == 1)
    + generic_delete_inode(inode);
    + else
    + generic_drop_inode(inode);
    +}
    +
    /*
    * We have our own block cache: don't fill up the buffer cache
    * with the rom-image, because the way the filesystem is set
    @@ -535,6 +526,7 @@ static const struct super_operations cra
    .put_super = cramfs_put_super,
    .remount_fs = cramfs_remount,
    .statfs = cramfs_statfs,
    + .drop_inode = cramfs_drop_inode,
    };

    static int cramfs_get_sb(struct file_system_type *fs_type,

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  8. [patch 12/16] sctp: fix potential panics in the SCTP-AUTH API.

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Vlad Yasevich

    [ Upstream commit 5e739d1752aca4e8f3e794d431503bfca3162df4 ]

    All of the SCTP-AUTH socket options could cause a panic
    if the extension is disabled and the API is envoked.

    Additionally, there were some additional assumptions that
    certain pointers would always be valid which may not
    always be the case.

    This patch hardens the API and address all of the crash
    scenarios.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sctp/endpointola.c | 4 +-
    net/sctp/socket.c | 85 +++++++++++++++++++++++++++++++++++++------------
    2 files changed, 67 insertions(+), 22 deletions(-)

    --- a/net/sctp/endpointola.c
    +++ b/net/sctp/endpointola.c
    @@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoi

    /* Initialize the CHUNKS parameter */
    auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
    + auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));

    /* If the Add-IP functionality is enabled, we must
    * authenticate, ASCONF and ASCONF-ACK chunks
    @@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoi
    if (sctp_addip_enable) {
    auth_chunks->chunks[0] = SCTP_CID_ASCONF;
    auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
    - auth_chunks->param_hdr.length =
    - htons(sizeof(sctp_paramhdr_t) + 2);
    + auth_chunks->param_hdr.length += htons(2);
    }
    }

    --- a/net/sctp/socket.c
    +++ b/net/sctp/socket.c
    @@ -2983,6 +2983,9 @@ static int sctp_setsockopt_auth_chunk(st
    {
    struct sctp_authchunk val;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (optlen != sizeof(struct sctp_authchunk))
    return -EINVAL;
    if (copy_from_user(&val, optval, optlen))
    @@ -3013,6 +3016,9 @@ static int sctp_setsockopt_hmac_ident(st
    struct sctp_hmacalgo *hmacs;
    int err;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (optlen < sizeof(struct sctp_hmacalgo))
    return -EINVAL;

    @@ -3051,6 +3057,9 @@ static int sctp_setsockopt_auth_key(stru
    struct sctp_association *asoc;
    int ret;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (optlen <= sizeof(struct sctp_authkey))
    return -EINVAL;

    @@ -3088,6 +3097,9 @@ static int sctp_setsockopt_active_key(st
    struct sctp_authkeyid val;
    struct sctp_association *asoc;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (optlen != sizeof(struct sctp_authkeyid))
    return -EINVAL;
    if (copy_from_user(&val, optval, optlen))
    @@ -3113,6 +3125,9 @@ static int sctp_setsockopt_del_key(struc
    struct sctp_authkeyid val;
    struct sctp_association *asoc;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (optlen != sizeof(struct sctp_authkeyid))
    return -EINVAL;
    if (copy_from_user(&val, optval, optlen))
    @@ -5073,19 +5088,29 @@ static int sctp_getsockopt_maxburst(stru
    static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
    char __user *optval, int __user *optlen)
    {
    + struct sctp_hmacalgo __user *p = (void __user *)optval;
    struct sctp_hmac_algo_param *hmacs;
    - __u16 param_len;
    + __u16 data_len = 0;
    + u32 num_idents;
    +
    + if (!sctp_auth_enable)
    + return -EACCES;

    hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
    - param_len = ntohs(hmacs->param_hdr.length);
    + data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);

    - if (len < param_len)
    + if (len < sizeof(struct sctp_hmacalgo) + data_len)
    return -EINVAL;
    +
    + len = sizeof(struct sctp_hmacalgo) + data_len;
    + num_idents = data_len / sizeof(u16);
    +
    if (put_user(len, optlen))
    return -EFAULT;
    - if (copy_to_user(optval, hmacs->hmac_ids, len))
    + if (put_user(num_idents, &p->shmac_num_idents))
    + return -EFAULT;
    + if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
    return -EFAULT;
    -
    return 0;
    }

    @@ -5095,6 +5120,9 @@ static int sctp_getsockopt_active_key(st
    struct sctp_authkeyid val;
    struct sctp_association *asoc;

    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    if (len < sizeof(struct sctp_authkeyid))
    return -EINVAL;
    if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
    @@ -5109,6 +5137,12 @@ static int sctp_getsockopt_active_key(st
    else
    val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;

    + len = sizeof(struct sctp_authkeyid);
    + if (put_user(len, optlen))
    + return -EFAULT;
    + if (copy_to_user(optval, &val, len))
    + return -EFAULT;
    +
    return 0;
    }

    @@ -5119,13 +5153,16 @@ static int sctp_getsockopt_peer_auth_chu
    struct sctp_authchunks val;
    struct sctp_association *asoc;
    struct sctp_chunks_param *ch;
    - u32 num_chunks;
    + u32 num_chunks = 0;
    char __user *to;

    - if (len <= sizeof(struct sctp_authchunks))
    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    + if (len < sizeof(struct sctp_authchunks))
    return -EINVAL;

    - if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
    + if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
    return -EFAULT;

    to = p->gauth_chunks;
    @@ -5134,20 +5171,21 @@ static int sctp_getsockopt_peer_auth_chu
    return -EINVAL;

    ch = asoc->peer.peer_chunks;
    + if (!ch)
    + goto num;

    /* See if the user provided enough room for all the data */
    num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
    if (len < num_chunks)
    return -EINVAL;

    - len = num_chunks;
    - if (put_user(len, optlen))
    + if (copy_to_user(to, ch->chunks, num_chunks))
    return -EFAULT;
    +num:
    + len = sizeof(struct sctp_authchunks) + num_chunks;
    + if (put_user(len, optlen)) return -EFAULT;
    if (put_user(num_chunks, &p->gauth_number_of_chunks))
    return -EFAULT;
    - if (copy_to_user(to, ch->chunks, len))
    - return -EFAULT;
    -
    return 0;
    }

    @@ -5158,13 +5196,16 @@ static int sctp_getsockopt_local_auth_ch
    struct sctp_authchunks val;
    struct sctp_association *asoc;
    struct sctp_chunks_param *ch;
    - u32 num_chunks;
    + u32 num_chunks = 0;
    char __user *to;

    - if (len <= sizeof(struct sctp_authchunks))
    + if (!sctp_auth_enable)
    + return -EACCES;
    +
    + if (len < sizeof(struct sctp_authchunks))
    return -EINVAL;

    - if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
    + if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
    return -EFAULT;

    to = p->gauth_chunks;
    @@ -5177,17 +5218,21 @@ static int sctp_getsockopt_local_auth_ch
    else
    ch = sctp_sk(sk)->ep->auth_chunk_list;

    + if (!ch)
    + goto num;
    +
    num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
    - if (len < num_chunks)
    + if (len < sizeof(struct sctp_authchunks) + num_chunks)
    return -EINVAL;

    - len = num_chunks;
    + if (copy_to_user(to, ch->chunks, num_chunks))
    + return -EFAULT;
    +num:
    + len = sizeof(struct sctp_authchunks) + num_chunks;
    if (put_user(len, optlen))
    return -EFAULT;
    if (put_user(num_chunks, &p->gauth_number_of_chunks))
    return -EFAULT;
    - if (copy_to_user(to, ch->chunks, len))
    - return -EFAULT;

    return 0;
    }

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  9. [patch 06/16] mm: make setup_zone_migrate_reserve() aware of overlapping nodes

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Adam Litke

    commit 344c790e3821dac37eb742ddd0b611a300f78b9a upstream

    I have gotten to the root cause of the hugetlb badness I reported back on
    August 15th. My system has the following memory topology (note the
    overlapping node):

    Node 0 Memory: 0x8000000-0x44000000
    Node 1 Memory: 0x0-0x8000000 0x44000000-0x80000000

    setup_zone_migrate_reserve() scans the address range 0x0-0x8000000 looking
    for a pageblock to move onto the MIGRATE_RESERVE list. Finding no
    candidates, it happily continues the scan into 0x8000000-0x44000000. When
    a pageblock is found, the pages are moved to the MIGRATE_RESERVE list on
    the wrong zone. Oops.

    setup_zone_migrate_reserve() should skip pageblocks in overlapping nodes.

    Signed-off-by: Adam Litke
    Acked-by: Mel Gorman
    Cc: Dave Hansen
    Cc: Nishanth Aravamudan
    Cc: Andy Whitcroft
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    mm/page_alloc.c | 7 +++++++
    1 file changed, 7 insertions(+)

    --- a/mm/page_alloc.c
    +++ b/mm/page_alloc.c
    @@ -717,6 +717,9 @@ int move_freepages(struct zone *zone,
    #endif

    for (page = start_page; page <= end_page {
    + /* Make sure we are not inadvertently changing nodes */
    + VM_BUG_ON(page_to_nid(page) != zone_to_nid(zone));
    +
    if (!pfn_valid_within(page_to_pfn(page))) {
    page++;
    continue;
    @@ -2476,6 +2479,10 @@ static void setup_zone_migrate_reserve(s
    continue;
    page = pfn_to_page(pfn);

    + /* Watch out for overlapping nodes */
    + if (page_to_nid(page) != zone_to_nid(zone))
    + continue;
    +
    /* Blocks with reserved pages will never free, skip them. */
    if (PageReserved(page))
    continue;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  10. [patch 13/16] sctp: add verification checks to SCTP_AUTH_KEY option

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Vlad Yasevich

    [ Upstream commit 30c2235cbc477d4629983d440cdc4f496fec9246 ]

    The structure used for SCTP_AUTH_KEY option contains a
    length that needs to be verfied to prevent buffer overflow
    conditions. Spoted by Eugene Teo .

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sctp/auth.c | 4 ++++
    net/sctp/socket.c | 5 +++++
    2 files changed, 9 insertions(+)

    --- a/net/sctp/auth.c
    +++ b/net/sctp/auth.c
    @@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth
    {
    struct sctp_auth_bytes *key;

    + /* Verify that we are not going to overflow INT_MAX */
    + if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
    + return NULL;
    +
    /* Allocate the shared key */
    key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
    if (!key)
    --- a/net/sctp/socket.c
    +++ b/net/sctp/socket.c
    @@ -3072,6 +3072,11 @@ static int sctp_setsockopt_auth_key(stru
    goto out;
    }

    + if (authkey->sca_keylength > optlen) {
    + ret = -EINVAL;
    + goto out;
    + }
    +
    asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
    if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
    ret = -EINVAL;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  11. [patch 16/16] sch_prio: Fix nla_parse_nested_compat() regression

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Thomas Graf

    [ No upstream commit, this is fixing code no longer in 2.6.27 ]

    nla_parse_nested_compat() was used to parse two different message
    formats in the netem and prio qdisc, when it was "fixed" to work
    with netem, it broke the multi queue support in the prio qdisc.
    Since the prio qdisc code in question is already removed in the
    development tree, this patch only fixes the regression in the
    stable tree.

    Based on original patch from Alexander H Duyck

    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sched/sch_prio.c | 16 +++++++++++-----
    1 file changed, 11 insertions(+), 5 deletions(-)

    --- a/net/sched/sch_prio.c
    +++ b/net/sched/sch_prio.c
    @@ -228,14 +228,20 @@ static int prio_tune(struct Qdisc *sch,
    {
    struct prio_sched_data *q = qdisc_priv(sch);
    struct tc_prio_qopt *qopt;
    - struct nlattr *tb[TCA_PRIO_MAX + 1];
    + struct nlattr *tb[TCA_PRIO_MAX + 1] = {0};
    int err;
    int i;

    - err = nla_parse_nested_compat(tb, TCA_PRIO_MAX, opt, NULL, qopt,
    - sizeof(*qopt));
    - if (err < 0)
    - return err;
    + qopt = nla_data(opt);
    + if (nla_len(opt) < sizeof(*qopt))
    + return -1;
    +
    + if (nla_len(opt) >= sizeof(*qopt) + sizeof(struct nlattr)) {
    + err = nla_parse_nested(tb, TCA_PRIO_MAX,
    + (struct nlattr *) (qopt + 1), NULL);
    + if (err < 0)
    + return err;
    + }

    q->bands = qopt->bands;
    /* If we're multiqueue, make sure the number of incoming bands

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  12. [patch 03/16] sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports


    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Cyrill Gorcunov

    commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream

    Vegard Nossum reported
    ----------------------
    > I noticed that something weird is going on with /proc/sys/sunrpc/transports.
    > This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
    > I "cat" this file, I get the expected output:
    > $ cat /proc/sys/sunrpc/transports
    > tcp 1048576
    > udp 32768


    > But I think that it does not check the length of the buffer supplied by
    > userspace to read(). With my original program, I found that the stack was
    > being overwritten by the characters above, even when the length given to
    > read() was just 1.


    David Wagner added (among other things) that copy_to_user could be
    probably used here.

    Ingo Oeser suggested to use simple_read_from_buffer() here.

    The conclusion is that proc_do_xprt doesn't check for userside buffer
    size indeed so fix this by using Ingo's suggestion.

    Reported-by: Vegard Nossum
    Signed-off-by: Cyrill Gorcunov
    CC: Ingo Oeser
    Cc: Neil Brown
    Cc: Chuck Lever
    Cc: Greg Banks
    Cc: Tom Tucker
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sunrpc/sysctl.c | 18 ++++--------------
    1 file changed, 4 insertions(+), 14 deletions(-)

    --- a/net/sunrpc/sysctl.c
    +++ b/net/sunrpc/sysctl.c
    @@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table
    void __user *buffer, size_t *lenp, loff_t *ppos)
    {
    char tmpbuf[256];
    - int len;
    + size_t len;
    +
    if ((*ppos && !write) || !*lenp) {
    *lenp = 0;
    return 0;
    }
    - if (write)
    - return -EINVAL;
    - else {
    - len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
    - if (!access_ok(VERIFY_WRITE, buffer, len))
    - return -EFAULT;
    -
    - if (__copy_to_user(buffer, tmpbuf, len))
    - return -EFAULT;
    - }
    - *lenp -= len;
    - *ppos += len;
    - return 0;
    + len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
    + return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len);
    }

    static int

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  13. [patch 09/16] crypto: authenc - Avoid using clobbered request pointer

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Herbert Xu

    crypto: authenc - Avoid using clobbered request pointer

    [ Upstream commit: a697690bece75d4ba424c1318eb25c37d41d5829 ]

    Authenc works in two stages for encryption, it first encrypts and
    then computes an ICV. The context memory of the request is used
    by both operations. The problem is that when an asynchronous
    encryption completes, we will compute the ICV and then reread the
    context memory of the encryption to get the original request.

    It just happens that we have a buffer of 16 bytes in front of the
    request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
    the bug. However, any attempt to uses a larger ICV instantly kills
    the machine when the first asynchronous encryption is completed.

    This patch fixes this by saving the request pointer before we start
    the ICV computation.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    ---
    crypto/authenc.c | 10 ++++++----
    1 file changed, 6 insertions(+), 4 deletions(-)

    --- a/crypto/authenc.c
    +++ b/crypto/authenc.c
    @@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct
    static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
    int err)
    {
    + struct aead_request *areq = req->data;
    +
    if (!err) {
    - struct aead_request *areq = req->data;
    struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
    struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
    struct ablkcipher_request *abreq = aead_request_ctx(areq);
    @@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done(
    err = crypto_authenc_genicv(areq, iv, 0);
    }

    - aead_request_complete(req->data, err);
    + aead_request_complete(areq, err);
    }

    static int crypto_authenc_encrypt(struct aead_request *req)
    @@ -216,14 +217,15 @@ static int crypto_authenc_encrypt(struct
    static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
    int err)
    {
    + struct aead_request *areq = req->data;
    +
    if (!err) {
    - struct aead_request *areq = req->data;
    struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);

    err = crypto_authenc_genicv(areq, greq->giv, 0);
    }

    - aead_request_complete(req->data, err);
    + aead_request_complete(areq, err);
    }

    static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  14. [patch 15/16] sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Vlad Yasevich

    [ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ]

    The number of identifiers needs to be checked against the option
    length. Also, the identifier index provided needs to be verified
    to make sure that it doesn't exceed the bounds of the array.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sctp/auth.c | 3 +++
    net/sctp/socket.c | 6 ++++--
    2 files changed, 7 insertions(+), 2 deletions(-)

    --- a/net/sctp/auth.c
    +++ b/net/sctp/auth.c
    @@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e
    for (i = 0; i < hmacs->shmac_num_idents; i++) {
    id = hmacs->shmac_idents[i];

    + if (id > SCTP_AUTH_HMAC_ID_MAX)
    + return -EOPNOTSUPP;
    +
    if (SCTP_AUTH_HMAC_ID_SHA1 == id)
    has_sha1 = 1;

    --- a/net/sctp/socket.c
    +++ b/net/sctp/socket.c
    @@ -3014,6 +3014,7 @@ static int sctp_setsockopt_hmac_ident(st
    int optlen)
    {
    struct sctp_hmacalgo *hmacs;
    + u32 idents;
    int err;

    if (!sctp_auth_enable)
    @@ -3031,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(st
    goto out;
    }

    - if (hmacs->shmac_num_idents == 0 ||
    - hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
    + idents = hmacs->shmac_num_idents;
    + if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
    + (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
    err = -EINVAL;
    goto out;
    }

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  15. [patch 04/16] r8169: balance pci_map / pci_unmap pair

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Francois Romieu

    commit a866bbf6aacf95f849810079442a20be118ce905 upstream

    The leak hurts with swiotlb and jumbo frames.

    Fix http://bugzilla.kernel.org/show_bug.cgi?id=9468.

    Heavily hinted by Ilpo Järvinen .

    Signed-off-by: Francois Romieu
    Tested-by: Alistair John Strachan
    Tested-by: Timothy J Fontaine
    Cc: Edward Hsu
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/r8169.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/drivers/net/r8169.c
    +++ b/drivers/net/r8169.c
    @@ -2822,7 +2822,7 @@ static int rtl8169_rx_interrupt(struct n
    pkt_size, PCI_DMA_FROMDEVICE);
    rtl8169_mark_to_asic(desc, tp->rx_buf_sz);
    } else {
    - pci_unmap_single(pdev, addr, pkt_size,
    + pci_unmap_single(pdev, addr, tp->rx_buf_sz,
    PCI_DMA_FROMDEVICE);
    tp->Rx_skbuff[entry] = NULL;
    }

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  16. [patch 14/16] sctp: correct bounds check in sctp_setsockopt_auth_key

    2.6.25-stable review patch. If anyone has any objections, please let us know.

    ------------------
    From: Vlad Yasevich

    [ Upstream commit 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c ]

    The bonds check to prevent buffer overlflow was not exactly
    right. It still allowed overflow of up to 8 bytes which is
    sizeof(struct sctp_authkey).

    Since optlen is already checked against the size of that struct,
    we are guaranteed not to cause interger overflow either.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    net/sctp/socket.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/net/sctp/socket.c
    +++ b/net/sctp/socket.c
    @@ -3072,7 +3072,7 @@ static int sctp_setsockopt_auth_key(stru
    goto out;
    }

    - if (authkey->sca_keylength > optlen) {
    + if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
    ret = -EINVAL;
    goto out;
    }

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

+ Reply to Thread